This detection device is a detection device configured to detect an abnormality in a network. In the network, transmission and reception of a plurality of messages including a response message are performed by a plurality of communication apparatuses. The detection device includes: an acquisition unit configured to acquire a plurality of pieces of load information respectively indicating communication loads at a plurality of locations in the network, the plurality of pieces of load information respectively indicating communication loads due to the messages whose transmission sources are corresponding ones of the communication apparatuses; and a detection unit configured to detect an abnormality in the network, based on consistency between the plurality of pieces of load information acquired by the acquisition unit.
. A detection device configured to detect an abnormality in a network,
. The detection device according to, wherein
. The detection device according to, wherein
. The detection device according to, wherein
. The detection device according to, wherein
. The detection device according to, wherein
. A detection system configured to detect an abnormality in a network,
. A detection method performed in a detection device configured to detect an abnormality in a network,
. The detection device according to, wherein
. The detection device according to, wherein
The present disclosure relates to a detection device, a detection system, and a detection method.
This application claims priority on Japanese Patent Application No. 2022-88140 filed on May 31, 2022, the entire content of which is incorporated herein by reference.
PATENT LITERATURE 1 (International Publication No. WO2020/234940) discloses a caution-needed IP address estimation device as below. That is, the caution-needed IP address estimation device includes: an acquisition means configured to acquire, based on the degree of exposure of a subject covered by mass media, an IP address associated with the subject as a caution-needed IP address; and a transmission means configured to transmit the caution-needed IP address to an NW monitoring information database device.
PATENT LITERATURE 2 (Japanese Laid-open Patent Publication No. 2021-507375 (translation of PCT International Application)) discloses a method for monitoring a device, as below. That is, the method includes: a step of accessing a first indicator associated with a first device and indicating a security risk level; a step of accessing communication information associated with the first device; a step of determining, by a processing device, based on the communication information, a second device in communication with the first device; a step of setting a second indicator associated with the second device, based on information associated with the first device; and a step of storing the second indicator associated with the second device.
PATENT LITERATURE 1: International Publication No. WO2020/234940
PATENT LITERATURE 2: Japanese Laid-open Patent Publication No. 2021-507375 (translation of PCT International Application)
A detection device of the present disclosure is configured to detect an abnormality in a network. In the network, transmission and reception of a plurality of messages including a response message are performed by a plurality of communication apparatuses. The detection device includes: an acquisition unit configured to acquire a plurality of pieces of load information respectively indicating communication loads at a plurality of locations in the network, the plurality of pieces of load information respectively indicating communication loads due to the messages whose transmission sources are different from each other; and a detection unit configured to detect an abnormality in the network, based on consistency between the plurality of pieces of load information acquired by the acquisition unit.
A detection system of the present disclosure is configured to detect an abnormality in a network. In the network, transmission and reception of a plurality of messages including a response message are performed by a plurality of communication apparatuses. The detection system includes: a plurality of extraction devices configured to respectively extract the messages whose transmission sources are different from each other, the messages respectively passing through locations different from each other in the network; a plurality of observation units configured to respectively observe the messages extracted by the plurality of extraction devices; a load calculation unit configured to generate, based on observation results by the plurality of observation units, a plurality of pieces of load information respectively indicating communication loads at a plurality of locations in the network; and a detection unit configured to detect an abnormality in the network, based on consistency between the plurality of pieces of load information generated by the load calculation unit.
A detection method of the present disclosure is performed in a detection device configured to detect an abnormality in a network. In the network, transmission and reception of a plurality of messages including a response message are performed by a plurality of communication apparatuses. The detection method includes the steps of: acquiring a plurality of pieces of load information respectively indicating communication loads at a plurality of locations in the network, the plurality of pieces of load information respectively indicating communication loads due to the messages whose transmission sources are different from each other; and detecting an abnormality in the network, based on consistency between the plurality of pieces of load information having been acquired.
An aspect of the present disclosure can be realized not only as a detection device including such a characteristic processing unit, but also as a program for causing a computer to execute steps of such characteristic processing, or as a semiconductor integrated circuit that realizes a part or the entirety of the detection device.
To date, technologies for detecting an abnormality such as an unauthorized access in a network have been proposed.
The technology described in PATENT LITERATURE 1 quickly detects an increase in communication load by monitoring a caution-needed IP address on a network, but it requires information on the communication load during normal time to be acquired in advance. In addition, in the technology described in PATENT LITERATURE 1, every time the network configuration is changed, the information on the communication load during normal time must be reacquired for the network after the change. The technology described in PATENT LITERATURE 2 likewise requires information on traffic during normal time to be acquired in advance, and every time the network configuration is changed, the information on traffic during normal time must be reacquired for the network after the change.
Beyond the technologies described in PATENT LITERATURES 1 and 2, a technology that can stably detect an abnormality in a network by using less information is desired.
The present disclosure has been made in order to solve the above-described problem. An object of the present disclosure is to provide a detection device, a detection system, and a detection method that can stably detect an abnormality in a network by using less information.
According to the present disclosure, an abnormality in a network can be stably detected by using less information.
First, contents of embodiments of the present disclosure are listed and described.
(1) A detection device according to an embodiment of the present disclosure is configured to detect an abnormality in a network. In the network, transmission and reception of a plurality of messages including a response message are performed by a plurality of communication apparatuses. The detection device includes: an acquisition unit configured to acquire a plurality of pieces of load information respectively indicating communication loads at a plurality of locations in the network, the plurality of pieces of load information respectively indicating communication loads due to the messages whose transmission sources are different from each other; and a detection unit configured to detect an abnormality in the network, based on consistency between the plurality of pieces of load information acquired by the acquisition unit.
Thus, due to the configuration in which an abnormality in the network is detected based on the consistency between a plurality of pieces of load information respectively indicating communication loads at a plurality of locations in the network, an abnormality can be detected without using the load information during normal time in the network. Therefore, an abnormality can be detected without acquiring the load information during normal time in advance or acquiring, every time the network configuration is changed, the load information during normal time in the network after the change. Therefore, an abnormality in the network can be stably detected by using less information.
(2) In (1) above, the acquisition unit may acquire three or more pieces of the load information respectively indicating communication loads at three or more locations in the network, and the detection unit may identify an abnormality location in the network, based on the consistency for each combination of two pieces of the load information included in the three or more pieces of load information.
Accordingly, the abnormality location in the network can be more specifically identified.
(3) In (1) or (2) above, in the network, transmission and reception of the messages may be performed between a first of the communication apparatuses and a plurality of the communication apparatuses different from the first communication apparatus, the acquisition unit may acquire a first of the load information indicating a communication volume of the message whose transmission source is the first communication apparatus, and a second of the load information indicating a communication volume of the message whose transmission source is the communication apparatus different from the first communication apparatus, and the detection unit may detect an abnormality in the network, based on the consistency between the communication volume of the message indicated by the first load information and the communication volume of the message indicated by the second load information.
With this configuration, an abnormality in the network in which one-to-many communication is performed can be detected.
(4) In any of (1) to (3) above, the detection device may further include an observation unit configured to observe an output, of the message having been extracted, performed by an extraction device, the extraction device being configured to extract the message transmitted from the communication apparatus, the extraction device being configured to output the message having been extracted, to another of the communication apparatuses and the detection device, and the acquisition unit may generate the load information, based on an observation result from the observation unit.
With this configuration, the degree of freedom of the measurement position of the communication load in the network can be enhanced.
(5) In (3) above, the acquisition unit may acquire the load information indicating a communication load calculated based on a number of the response messages predicted based on a type of the message transmitted by the first communication apparatus and the communication volume of the message transmitted by the first communication apparatus.
With this configuration, an abnormality in the network can be detected by using the load information based on the number of response messages to the first communication apparatus predicted based on the type of the message. Therefore, an abnormality in the network in which various types of messages such as a multicast message and a broadcast message are transmitted and received can be detected.
(6) In (5) above, the acquisition unit may acquire the load information indicating a communication load calculated based on a number of the response messages predicted further based on header information of the message transmitted by the first communication apparatus.
With this configuration, the number of response messages can be predicted based on the type and contents of the message. Therefore, an abnormality in the network in which various types of messages are transmitted and received can be more accurately detected.
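The following Python model is an added example written for this page; it is not code from the disclosure. It plays out items (1) to (6) on constructed traffic: each tap location reports load information only for messages whose transmission source is the apparatus in front of it, the number of responses a request should draw is predicted from its type and, for group requests, from the responder list carried in its header, and the detection unit compares every pair of taps so that, with three or more taps, the tap that is present in every inconsistent pair and in no consistent pair is reported as the abnormality location. No normal-time baseline is used. The names `Message`, `load_info`, `pair_consistent`, `detect`, the `tolerance` parameter and the sample apparatuses A, B, C are assumptions of this example.

```python
"""Added example: consistency-based abnormality detection across taps.

Model of items (1)-(6) of the disclosure; all names and sample traffic
are constructed for this example and are not identifiers from the patent.
"""
from collections import Counter
from dataclasses import dataclass
from itertools import combinations

UNICAST, MULTICAST, BROADCAST = "unicast", "multicast", "broadcast"


@dataclass(frozen=True)
class Message:
    src: str                 # transmission-source apparatus
    dst: str                 # apparatus address, or a group / broadcast address
    kind: str                # "request" or "response"
    cast: str = UNICAST      # how a request is addressed (item (5): message type)
    responders: tuple = ()   # group members expected to answer (item (6): header information)


def expected_responders(msg):
    """Predict which apparatuses answer a request, from its type and header."""
    if msg.kind != "request":
        return ()                       # a response draws no further response
    if msg.cast == UNICAST:
        return (msg.dst,)               # exactly one responder
    return msg.responders               # multicast / broadcast: one per member


def load_info(tap_messages):
    """One piece of load information per tap.

    A tap only sees messages from the apparatus in front of it (the
    extraction device's source-address filter), so each entry records
    (a) responses that source expects, per responder, and
    (b) responses that source sent, per destination.
    """
    info = {}
    for tap, msgs in tap_messages.items():
        expected, sent = Counter(), Counter()
        for m in msgs:
            for r in expected_responders(m):
                expected[r] += 1
            if m.kind == "response":
                sent[m.dst] += 1
        info[tap] = {"expected_from": expected, "responses_to": sent}
    return info


def pair_consistent(info, x, y, tolerance=0):
    """Compare the two taps' views of the x<->y exchange.

    Returns None when neither side exchanged anything with the other (no
    relation to check).  `tolerance` (assumed) absorbs responses that fall
    just over an observation-period boundary; 0 demands exact agreement.
    """
    checks = [
        (info[x]["expected_from"][y], info[y]["responses_to"][x]),
        (info[y]["expected_from"][x], info[x]["responses_to"][y]),
    ]
    if all(p == 0 and o == 0 for p, o in checks):
        return None
    return all(abs(p - o) <= tolerance for p, o in checks)


def detect(tap_messages, tolerance=0):
    """Item (1): abnormal when any pair of load information is inconsistent.

    Item (2): with three or more taps, a tap that appears in inconsistent
    pairs but in no consistent pair is reported as the abnormality location.
    """
    info = load_info(tap_messages)
    results = {p: pair_consistent(info, *p, tolerance) for p in combinations(sorted(info), 2)}
    bad = [p for p, ok in results.items() if ok is False]
    cleared = {t for p, ok in results.items() if ok for t in p}
    suspects = {t for p in bad for t in p} - cleared
    return {"abnormal": bool(bad),
            "inconsistent_pairs": bad,
            "suspect": suspects.pop() if len(suspects) == 1 else None}


# Constructed sample: client A talks to servers B and C in one observation period.
REQUESTS_A = (
    [Message("A", "B", "request")] * 3
    + [Message("A", "C", "request")] * 2
    + [Message("A", "G", "request", MULTICAST, responders=("B", "C"))]
)
NORMAL = {
    "A": REQUESTS_A,
    "B": [Message("B", "A", "response")] * 4,   # 3 unicast + 1 multicast
    "C": [Message("C", "A", "response")] * 3,   # 2 unicast + 1 multicast
}
# Same period, but tap C observes more responses than A's requests account for.
ABNORMAL = dict(NORMAL, C=[Message("C", "A", "response")] * 7)

if __name__ == "__main__":
    print(detect(NORMAL))
    print(detect(ABNORMAL))
```

In the abnormal case only the (A, C) pair disagrees while (A, B) still agrees, so A is cleared by its consistent pair and C alone remains as the abnormality location; with only two taps the same mismatch would still be reported as abnormal, but no location could be singled out.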
(7) A detection system according to an embodiment of the present disclosure is configured to detect an abnormality in a network. In the network, transmission and reception of a plurality of messages including a response message are performed by a plurality of communication apparatuses. The detection system includes: a plurality of extraction devices configured to respectively extract the messages whose transmission sources are different from each other, the messages respectively passing through locations different from each other in the network; a plurality of observation units configured to respectively observe the messages extracted by the plurality of extraction devices; a load calculation unit configured to generate, based on observation results by the plurality of observation units, a plurality of pieces of load information respectively indicating communication loads at a plurality of locations in the network; and a detection unit configured to detect an abnormality in the network, based on consistency between the plurality of pieces of load information generated by the load calculation unit.
Thus, due to the configuration in which an abnormality in the network is detected based on the consistency between a plurality of pieces of load information respectively indicating communication loads at a plurality of locations in the network, an abnormality can be detected without using the load information during normal time in the network. Therefore, an abnormality can be detected without acquiring the load information during normal time in advance or acquiring, every time the network configuration is changed, the load information during normal time in the network after the change. Therefore, an abnormality in the network can be stably detected by using less information.
(8) A detection method according to an embodiment of the present disclosure is performed in a detection device configured to detect an abnormality in a network. In the network, transmission and reception of a plurality of messages including a response message are performed by a plurality of communication apparatuses. The detection method includes the steps of: acquiring a plurality of pieces of load information respectively indicating communication loads at a plurality of locations in the network, the plurality of pieces of load information respectively indicating communication loads due to the messages whose transmission sources are different from each other; and detecting an abnormality in the network, based on consistency between the plurality of pieces of load information having been acquired.
Thus, due to the method in which an abnormality in the network is detected based on the consistency between a plurality of pieces of load information respectively indicating communication loads at a plurality of locations in the network, an abnormality can be detected without using the load information during normal time in the network. Therefore, an abnormality can be detected without acquiring the load information during normal time in advance or acquiring, every time the network configuration is changed, the load information during normal time in the network after the change. Therefore, an abnormality in the network can be stably detected by using less information.
Hereinafter, embodiments of the present disclosure will be described with reference to the drawings. In the drawings, the same or corresponding parts are denoted by the same reference signs, and descriptions thereof are not repeated. At least some parts of the embodiments described below can be combined together as desired.
shows an example of a configuration of a detection system and a detection target network according to a first embodiment of the present disclosure. With reference to, a detection system includes a detection device and extraction devices A, B. The extraction devices A, B are an example of an extraction device. The extraction device A includes communication ports PA, PA. The extraction device B includes communication ports PB, PB. The extraction device A transmits a message received via one of the communication ports PA, PA, via the other of the communication ports PA, PA. The extraction device B transmits a message received via one of the communication ports PB, PB, via the other of the communication ports PB, PB. The detection system detects an abnormality in a network.
The network includes communication apparatuses A, B, which are each a communication apparatus, and a switch device. The switch device relays information exchanged between the communication apparatuses A, B. The switch device includes communication ports A, B. The communication ports A, B are each a connector or a terminal, for example. The network may be an in-vehicle network, a home network, or a factory automation network.
The communication apparatus A is connected to the communication port PA in the extraction device A via a transmission line. The communication apparatus B is connected to the communication port PB in the extraction device B via the transmission line. The communication port PA in the extraction device A is connected to the communication port A in the switch device via the transmission line. The communication port PB in the extraction device B is connected to the communication port B in the switch device via the transmission line. The transmission line is an Ethernet (registered trademark) cable, for example.
In the network, transmission and reception of a plurality of messages including a response message are performed by a plurality of communication apparatuses.
More specifically, the plurality of communication apparatuses each transmit and receive messages in accordance with a predetermined communication protocol Prtl, such as ARP (Address Resolution Protocol) or SOME/IP (Scalable service-Oriented MiddlewarE over IP), under which a communication apparatus that has received a message from another communication apparatus transmits a response message to that other communication apparatus.
For example, the communication apparatus A operating as a client periodically or non-periodically generates a message addressed to the communication apparatus B according to the communication protocol Prtl, and transmits the generated message to the switch device via the transmission line and the extraction device A. The switch device transmits the message received from the communication apparatus A, to the communication apparatus B via the transmission line and the extraction device B.
When having received a message from the communication apparatus A via the switch device, the communication apparatus B operating as a server generates a response message according to the communication protocol Prtl, and transmits the generated response message to the switch device via the transmission line and the extraction device B. The switch device transmits the response message received from the communication apparatus B, to the communication apparatus A via the transmission line and the extraction device A.
The extraction devices A, B extract messages whose transmission sources are different from each other, the messages respectively passing through locations different from each other in the network. More specifically, the extraction device A includes a filter fa (not shown) that extracts, among received messages, a message that includes the address of the communication apparatus A as the transmission source address. The extraction device B includes a filter fb (not shown) that extracts, among received messages, a message that includes the address of the communication apparatus B as the transmission source address. The extraction devices A, B have the function of a repeater hub.
The extraction device A duplicates the message extracted through the filter fa among the messages received via the communication port PA. The extraction device A transmits the extracted message via the communication port PA. The extraction device A further transmits the duplicate of the extracted message to the detection device via the transmission line. The extraction device A may instead transmit the extracted message to the detection device via the transmission line and transmit the duplicate of the extracted message via the communication port PA.
The extraction device B duplicates the message extracted through the filter fb among the messages received via the communication port PB. The extraction device B transmits the extracted message via the communication port PB. The extraction device B further transmits the duplicate of the extracted message to the detection device via the transmission line. The extraction device B may instead transmit the extracted message to the detection device via the transmission line and transmit the duplicate of the extracted message via the communication port PB.
The extraction device A need not necessarily be connected to the communication apparatus A via the transmission line. The extraction device A may be an adaptor mounted to the communication apparatus A. In this case, the extraction device A extracts a message outputted from the communication apparatus A, outputs the extracted message to the switch device via the transmission line, and outputs a duplicate of the extracted message to the detection device via the transmission line.
The extraction device B need not necessarily be connected to the communication apparatus B via the transmission line. The extraction device B may be an adaptor mounted to the communication apparatus B. In this case, the extraction device B extracts a message outputted from the communication apparatus B, outputs the extracted message to the switch device via the transmission line, and outputs a duplicate of the extracted message to the detection device via the transmission line.
The detection device includes a reception unit, a load calculation unit, a detection unit, and a storage unit. The reception unit includes observation units A, B, which are each an observation unit. The load calculation unit includes calculation units A, B, which are each a calculation unit. The load calculation unit is an example of an acquisition unit. Some or all of the reception unit, the load calculation unit, and the detection unit are realized by processing circuitry including one or a plurality of processors, for example. The storage unit is a nonvolatile memory included in the above processing circuitry, for example. The detection device performs a detection process of detecting an abnormality in the network.
The storage unit has stored therein network information indicating the topology of the network and the communication protocol Prtl in the network. For example, the network information is stored in the storage unit by a manager of the network.
The plurality of observation units observe messages respectively passing through locations different from each other in the network. That is, the observation units A, B respectively observe messages extracted by the extraction devices A, B.
For example, the observation unit A observes an output of an extracted message performed by the extraction device A. More specifically, the observation unit A receives, via the transmission line, a message extracted by the extraction device A. The observation unit A periodically or non-periodically extracts one or a plurality of messages according to the communication protocol Prtl described above, out of one or a plurality of messages received in an observation period T having a predetermined length. The observation unit A outputs an observation result including each extracted message, to the calculation unit A.
For example, the observation unit B observes an output of an extracted message performed by the extraction device B. More specifically, the observation unit B receives, via the transmission line, a message extracted by the extraction device B. The observation unit B periodically or non-periodically extracts one or a plurality of messages according to the communication protocol Prtl described above, out of one or a plurality of messages received in the observation period T. The observation unit B outputs an observation result including each extracted message, to the calculation unit B.
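To make the observation side concrete, the following Python is an added example written for this page (not the patent's code) that plays the roles of the filters fa/fb, the observation units and the calculation units for ARP, one of the protocols named as a candidate for Prtl. It decodes raw Ethernet/ARP frames, keeps only the frames whose transmission-source address is the apparatus in front of the tap, buckets them into observation periods of length T, and produces per-period load information (ARP requests from the client, ARP replies from the server), then lists the periods in which the two pieces of load information disagree. The frame builder, the MAC and IP addresses, the timestamps and the function names are constructed for the example.

```python
"""Added example: extraction filter + windowed observation of ARP traffic.

Everything here (addresses, timestamps, helper names) is constructed for
the example and is not taken from the disclosure.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
EMPTY = {"requests": 0, "replies": 0}

# Constructed addresses for the two apparatuses (locally administered MACs).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
MAC_BCAST = b"\xff" * 6
IP_A, IP_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])


def build_arp(src_mac, dst_mac, oper, spa, tpa, tha=b"\x00" * 6):
    """Build a raw Ethernet + IPv4 ARP frame; used only to construct sample input."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, src_mac, spa, tha, tpa)


def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame; return None for anything that is not one."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"src_mac": frame[6:12], "oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def extraction_filter(frames, source_mac):
    """Filter fa / fb: pass only frames whose transmission source is the given apparatus."""
    return [(t, f) for t, f in frames if f[6:12] == source_mac]


def observe(frames, period):
    """Observation unit + calculation unit for one tap.

    Buckets protocol messages into observation periods of length `period`
    (seconds) and counts ARP requests and replies per period.  Frames that
    are not protocol-Prtl messages contribute nothing to the load.
    """
    windows = defaultdict(lambda: dict(EMPTY))
    for t, frame in frames:
        msg = parse_arp(frame)
        if msg is None:
            continue
        w = int(t // period)
        if msg["oper"] == ARP_REQUEST:
            windows[w]["requests"] += 1
        elif msg["oper"] == ARP_REPLY:
            windows[w]["replies"] += 1
    return dict(windows)


def inconsistent_windows(load_client, load_server):
    """Periods in which the client's request count and the server's reply count disagree."""
    return [w for w in sorted(set(load_client) | set(load_server))
            if load_client.get(w, EMPTY)["requests"] != load_server.get(w, EMPTY)["replies"]]


# Constructed traffic on the link as (timestamp in seconds, raw frame).  In the
# second period one extra reply appears that no request accounts for.
WIRE = [
    (0.1, build_arp(MAC_A, MAC_BCAST, ARP_REQUEST, IP_A, IP_B)),
    (0.2, build_arp(MAC_B, MAC_A, ARP_REPLY, IP_B, IP_A, tha=MAC_A)),
    (0.5, build_arp(MAC_A, MAC_BCAST, ARP_REQUEST, IP_A, IP_B)),
    (0.6, build_arp(MAC_B, MAC_A, ARP_REPLY, IP_B, IP_A, tha=MAC_A)),
    (1.2, build_arp(MAC_A, MAC_BCAST, ARP_REQUEST, IP_A, IP_B)),
    (1.3, build_arp(MAC_B, MAC_A, ARP_REPLY, IP_B, IP_A, tha=MAC_A)),
    (1.4, build_arp(MAC_B, MAC_A, ARP_REPLY, IP_B, IP_A, tha=MAC_A)),
    (1.5, MAC_B + MAC_A + struct.pack("!H", 0x0800) + bytes(28)),  # IPv4 frame from A: not counted
]

if __name__ == "__main__":
    load_a = observe(extraction_filter(WIRE, MAC_A), period=1.0)
    load_b = observe(extraction_filter(WIRE, MAC_B), period=1.0)
    print(load_a, load_b, inconsistent_windows(load_a, load_b))
```

Both taps here are fed from the same constructed link; what distinguishes tap A from tap B is only the source address its filter keeps, which is exactly why the two pieces of load information can be compared against each other rather than against a stored normal-time profile.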
November 20, 2025